Created attachment 573264
patch
The SSA analysis treats certain opcodes as having no fallthrough, and computes type information wrt the resulting CFG. The compiler would still generate code around two of these ops (JSOP_THROW and JSOP_RETRVAL) as if they had a fallthrough, and tripped this assert when generating code to transition from the state after a THROW to the state at the start of the next opcode. The fix just makes the compiler behave consistently with the SSA analysis here.
I don't think this is critical --- when merging the code the compiler can trip asserts but should not crash, and the code it is generating is dead. At the start of the next opcode it will have updated its internal state to reflect the type state at that op and will generate correct code afterwards.
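A toy model of the inconsistency described in comment 1, added here as an illustration; it is not SpiderMonkey code and the opcode names other than JSOP_THROW and JSOP_RETRVAL (OP_LOAD, OP_BRANCH) are constructed placeholders. One `has_fallthrough` predicate is shared by the CFG builder (standing in for the SSA analysis) and by the transition generator (standing in for the compiler); a second generator that assumes every opcode falls through reproduces the mismatch the assert caught, since it emits a fixup edge out of a THROW that the CFG never contains.

```python
# Constructed toy model of the bug: the analysis side and the codegen side
# must agree on which opcodes have a fallthrough successor.

NO_FALLTHROUGH = {"JSOP_THROW", "JSOP_RETRVAL"}  # opcodes named in the bug report


def has_fallthrough(op):
    """Shared rule: THROW and RETRVAL never continue to the next opcode."""
    return op not in NO_FALLTHROUGH


def _split(ins):
    # Instructions are either "OP" or ("OP", branch_target_index).
    return ins if isinstance(ins, tuple) else (ins, None)


def build_cfg(ops):
    """Analysis side: map each index to its set of successor indices."""
    succ = {}
    for i, ins in enumerate(ops):
        op, target = _split(ins)
        s = set()
        if has_fallthrough(op) and i + 1 < len(ops):
            s.add(i + 1)
        if target is not None:
            s.add(target)
        succ[i] = s
    return succ


def gen_transitions(ops):
    """Codegen side, consistent: emit a (src, dst) fixup only on real fallthrough."""
    edges = []
    for i, ins in enumerate(ops):
        op, _ = _split(ins)
        if i + 1 < len(ops) and has_fallthrough(op):
            edges.append((i, i + 1))
    return edges


def gen_transitions_buggy(ops):
    """Codegen side, inconsistent: pretends every opcode falls through."""
    return [(i, i + 1) for i in range(len(ops) - 1)]


def check_consistent(edges, cfg):
    """The assert from the bug: every emitted transition must be a CFG edge."""
    return all(dst in cfg[src] for src, dst in edges)


# Constructed sample program: a load, a conditional branch to index 3,
# then a THROW (dead fallthrough to RETRVAL) and a RETRVAL.
PROGRAM = ["OP_LOAD", ("OP_BRANCH", 3), "JSOP_THROW", "JSOP_RETRVAL"]


def demo():
    cfg = build_cfg(PROGRAM)
    good = check_consistent(gen_transitions(PROGRAM), cfg)
    bad = check_consistent(gen_transitions_buggy(PROGRAM), cfg)
    return good, bad


if __name__ == "__main__":
    print(build_cfg(PROGRAM))
    print(demo())
```

Running it shows the THROW at index 2 has an empty successor set, so the consistent generator emits no transition out of it, while the buggy variant emits (2, 3) and fails the consistency check, which is the assert that comment 1 describes firing.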

Since the patch was in the Compiler, is this unrelated to TI? Or is it a regression from that rewriting? In particular, do we need to worry about this affecting Firefox 8 (potential firedrill?) and need to get a patch into Firefox 9 ASAP?
Or is this simply not a security bug at all? That seems to be what you're saying in comment 1.

This change came in with the modifications TI made to JM, so it will not affect Firefox 8 or earlier. It does affect 9+. I don't think this is a security bug, nor do I think it can manifest in a crash or incorrect behavior. That said, it still might be a good idea to take it for Firefox 9 and 10, just to be sure.